It even has a good chance to be cheaper than the current unix model, since in a practical setup there would only be a few (compiled) rulesets in effect (still hundreds, but a lot less than actual dentries). One could possibly cache a pointer to the list of effective rules to a dentry/inode (depending on how the rules are to be applied, this is semantics, but I suspect you'd want them on the inode level).
But the decoupling of the details from every single inode can probably be done without any real performance impact (and possibly even performance gains). Whether you use hierarchical ACLs or matching rules shouldn't really make a difference and constant tree traversals shouldn't be necessary when done at the VFS level.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds